From: Frederick Lawler <fred@cloudflare.com>
To: kpsingh@kernel.org, revest@chromium.org, jackmanb@chromium.org
Cc: bpf@vger.kernel.org, kernel-team@cloudflare.com
Subject: BPF LSM prevent program unload
Date: Tue, 5 Dec 2023 14:38:57 -0600 [thread overview]
Message-ID: <ZW+KYViDT3HWtKI1@CMGLRV3> (raw)
Hi,
IIUC, LSMs are supposed to give us the ability to design policy around
unprivileged users and in addition to privileged users. As we expand
our usage of BPF LSM's, there are cases where we want to restrict
privileged users from unloading our progs. For instance, any privileged
user that wants to remove restrictions we've placed on privileged users.
We currently have a loader application doesn't leverage BPF skeletons. We
instead load BPF object files, and then pin the progs to a mount point that
is a bpf filesystem. On next run, if we have new policies, load in new
policies, and finally unload the old.
Here are some conditions a privileged user may unload programs:
umount /sys/fs/bpf
rm -rf /sys/fs/bpf/lsm
rm /sys/fs/bpf/lsm/some_prog
unlink /sys/fs/bpf/lsm/some_prog
This works because once we remove the last reference, the programs and
pinned maps are cleaned up.
Moving individual pins or moving the mount entirely with mount --move
do not perform any clean up operations. Lastly, bpftool doesn't currently
have the ability to unload LSM's AFAIK.
The few ideas I have floating around are:
1. Leverage some LSM hooks (BPF or otherwise) to restrict on the functions
security_sb_umount(), security_path_unlink(), security_inode_unlink().
Both security_path_unlink() and security_inode_unlink() handle the
unlink/remove case, but not the umount case.
3. Leverage SELinux/Apparmor to possibly handle these cases.
4. Introduce a security_bpf_prog_unload() to target hopefully the
umount and unlink cases at the same time.
5. Possible moonshot idea: introduce a interface to pin _specifically_
BPF LSM's to the kernel, and avoid the bpf sysfs problems all
together.
We're making the assumption this problem has been thought about before,
and are wondering if there's anything obvious we're missing here.
Fred
next reply other threads:[~2023-12-05 20:39 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-12-05 20:38 Frederick Lawler [this message]
2023-12-06 2:42 ` BPF LSM prevent program unload Yafang Shao
2023-12-06 15:02 ` Frederick Lawler
2023-12-07 2:28 ` Yafang Shao
2023-12-07 9:25 ` Tetsuo Handa
2023-12-07 17:34 ` Paul Moore
2023-12-07 20:05 ` Casey Schaufler
2023-12-07 14:01 ` KP Singh
2023-12-07 14:23 ` Yafang Shao
2023-12-07 14:38 ` KP Singh
2023-12-07 14:55 ` Yafang Shao
2023-12-07 15:04 ` KP Singh
2023-12-07 23:30 ` Frederick Lawler
2023-12-07 23:42 ` Song Liu
2023-12-08 0:21 ` Frederick Lawler
2023-12-08 5:17 ` Song Liu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZW+KYViDT3HWtKI1@CMGLRV3 \
--to=fred@cloudflare.com \
--cc=bpf@vger.kernel.org \
--cc=jackmanb@chromium.org \
--cc=kernel-team@cloudflare.com \
--cc=kpsingh@kernel.org \
--cc=revest@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox